Reword changelog entry for follow relationship bug
author rinpatch <rinpatch@sdf.org>
Thu, 30 Apr 2020 21:28:28 +0000 (00:28 +0300)
committer rinpatch <rinpatch@sdf.org>
Sat, 2 May 2020 16:05:13 +0000 (19:05 +0300)
CHANGELOG.md

index 54a0561b3695a714bd3f91fa44d6ad36a1508cc1..9279c1af0765745d94e935da99cd7cb664c74c60 100644 (file)
@@ -37,11 +37,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Filtering of push notifications on activities from blocked domains
 
 ## [unreleased-patch]
+### Security
+- Mastodon API: Fix `POST /api/v1/follow_requests/:id/authorize` allowing to force a follow from a local user even if they didn't request to follow
+
 ### Fixed
 - Logger configuration through AdminFE
 - HTTP Basic Authentication permissions issue
 - ObjectAgePolicy didn't filter out old messages
-- Mastodon API: do not create a following relationship if the corresponding follow request doesn't exist when calling `POST /api/v1/follow_requests/:id/authorize`
 
 ### Added
 - NodeInfo: ObjectAgePolicy settings to the `federation` list.
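
Review bot: The added `### Security` entry is hard to parse ("allowing to force a follow from a local user") and does not say who the caller is or what the endpoint does after the fix. The removed `### Fixed` line did carry the second part: no following relationship is created when the corresponding follow request doesn't exist. Consider keeping that detail in the new wording, for example "Mastodon API: `POST /api/v1/follow_requests/:id/authorize` no longer creates a following relationship when the corresponding follow request doesn't exist; previously this allowed forcing a follow from a local user who never requested it". Moving the entry under a Security heading is the right call, since readers scanning for security-relevant changes would not have found it in the Fixed list.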